Krebs on Security

In-depth security news and investigation

Credit Reports Sold for Cheap in the Underweb

Following the online publication of Social Security numbers and other sensitive data on high-profile Americans, the three major credit reporting bureaus say they’ve uncovered cases where hackers gained access to users’ information, Bloomberg reports. The disclosure, while probably discomforting for many, offers but a glimpse of the sensitive data available to denizens of the cybercrime underworld, which hosts several storefronts that sell cheap, illegal access to consumer credit reports.

Redacted screen shot of leaked records.

The acknowledgement by Experian, Equifax and TransUnion comes hours after hackers posted online Social Security numbers and other sensitive data on FBI Director Robert Mueller, First Lady Michelle Obama, Paris Hilton and others.

Sadly, Social Security numbers and even credit reports are not difficult to find using inexpensive services advertised openly in several cybercrime forums. In most cases, these services are open to all comers; the only limitation is knowing the site’s current Web address (such sites tend to move frequently) and being able to fund an account with a virtual currency, such as WebMoney or Liberty Reserve.

Case in point: ssndob.ru, a Web site that sells access to consumer credit reports for $15 per report. The site also sells access to drivers license records ($4) and background reports ($12), as well as straight SSN and date of birth lookups. Random “fulls” records — which include first, middle and last names, plus the target’s address, phone number, SSN and DOB — sell for 50 cents each. Fulls located by DOB cost $1, and $1.50 if searched by ZIP Code.

Credit report lookup page at ssndob.ru

It’s not clear from where this service gets its credit reports and other data, but it appears that at least some of the lookups are done manually by the proprietors. Pending new records requests are tracked with varying messages, such as “in queue,” and “in progress,” and often take more than 15 minutes to process.

A source who agreed to have his information looked up at this service provided his Social Security number, date of birth and address. Within 15 minutes, the site returned a full credit report produced by TransUnion; the report, saved as an HTML file, was archived in a password-protected zip file and uploaded to sendspace.com, with a link to the file and a password to unlock the archive.

TransUnion officials could not be immediately reached for comment. But the Bloomberg report quotes a TransUnion spokesperson saying that “the hackers had considerable amounts of information about the victims, including social-security numbers and other personally identifying information.” What’s interesting about ssndob.ru is that a full credit report requires knowing the target’s first and last name, address, ZIP code, city, state and SSN. While that may seem like a tall hurdle, this same site offers the ability to look up SSN and DOB records, presumably from a different database, for $1.50 per record pair.

One possibility is that the proprietors of this service and others like it are taking data gleaned from various sources and using it to pull credit reports from annualcreditreport.com, a government-mandated Web site created by the three major credit bureaus to help consumers obtain annual free copies of their credit reports.

If annualcreditreport.com is indeed the source of this information, it would be highly ironic. The site was the product of the 2003 Fair and Accurate Credit Transactions Act, a law intended to reduce identity theft that required each of the three major credit bureaus to provide consumers free access to their credit reports. The irony is that despite the free availability of these reports to consumers, the credit bureaus have for years touted consumer credit reports as a major benefit of signing up for pricey credit monitoring services, as shown by the success of television ads for services like freecreditreport.com.

You can find how the credit report was pulled by getting a new credit report. Each credit report pull is logged and the business/phone number of the place that pulled it is listed on this report. The best way to determine which company pulled it (there can be numerous ones) is to do a before and after credit pull. The anomalous one will stand out.
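The before/after comparison suggested in the comment above, as an added example that is not part of the original post or the commenter's own code. The two report excerpts are constructed for the example, and the line layout (date, business name, phone number) is an assumption; real reports vary by bureau. The `known_businesses` allowlist stands in for pulls you made or authorised yourself, so whatever remains is the anomalous inquiry.

```python
import re
from datetime import date

# Constructed excerpts of the "Inquiries" section of two reports on the same
# consumer: one pulled before the suspected fraudulent lookup, one after.
# The line layout (date, business, phone) is invented for this example.
BEFORE = """
Inquiries
03/02/2013  ACME AUTO FINANCE        800-555-0101
01/15/2013  FIRST EXAMPLE BANK       800-555-0102
"""

AFTER = """
Inquiries
03/12/2013  CONSUMER DISCLOSURE / SELF   800-555-0100
03/05/2013  QUICKCASH LENDING LLC        800-555-0199
03/02/2013  ACME AUTO FINANCE            800-555-0101
01/15/2013  FIRST EXAMPLE BANK           800-555-0102
"""

INQUIRY_RE = re.compile(r"^(\d{2})/(\d{2})/(\d{4})\s+(.+?)\s+(\d{3}-\d{3}-\d{4})$")


def parse_inquiries(report):
    """Return the set of (date, business, phone) tuples listed in a report."""
    found = set()
    for line in report.splitlines():
        m = INQUIRY_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines and anything else we do not recognise
        mm, dd, yyyy, business, phone = m.groups()
        # Normalise the business name so spacing/case differences do not hide a match
        found.add((date(int(yyyy), int(mm), int(dd)), " ".join(business.split()).upper(), phone))
    return found


def new_inquiries(before, after, known_businesses=()):
    """Inquiries present in `after` but not in `before`, minus the ones you expected.

    `known_businesses` lists the pulls you made or authorised yourself (for
    instance your own annualcreditreport.com request); whatever is left is the
    pull that "stands out".
    """
    known = {" ".join(b.split()).upper() for b in known_businesses}
    added = parse_inquiries(after) - parse_inquiries(before)
    return sorted(entry for entry in added if entry[1] not in known)


if __name__ == "__main__":
    for when, who, phone in new_inquiries(BEFORE, AFTER, ["Consumer Disclosure / Self"]):
        print(when.isoformat(), who, phone)
```

Keep the "before" report on hand: the diff is only as good as the baseline, and a pull that already happened before your first report will never show up as new.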

I looked over some of the information on that celebrity doxxed website using web-sniffer.net. To me, the celebrity addresses look outdated, like what you would find on many online websites that do people searches and or background checks. Clearly no one has actually verified that the social security numbers are 100 percent correct. I would think that in the case that they were, the FBI and or Secret Service would surely investigate how the First Lady’s and Vice President Biden’s personal information ended up online. I don’t think some stupid person signed up for a hosting account in the United States and willingly posted this information without any thought of the severe consequences that would occur. To me this is another example of how the underground criminal element can brag about their abilities by proving that they can get the attention that isn’t deserved.

Well, remember how Palin had a yahoo email? Could have been way before, one night, they had the bright idea to look up their credit report in the same manner other people do, or something. Or maybe through somebody they purchased a car through, or a home. They’re people that put their pants on one leg at a time like we do.

In the Sarah Palin case, that young kid ended up in Federal Prison over sheer stupidity. In the case of the site “exposed.su”, I don’t think the miscreants behind the site are living in the United States, but that’s just my opinion.

I just found out a week ago that two dead, very close, relatives of mine are having their information used still. One idea is they pull some of the information from obituaries. I wasn’t sure how anyone got a hold of their SSNs though, but probably in a manner similar to this. It’s pretty sickening to think their SSNs wouldn’t be flagged anyway, because ya know, they’re not alive.

Hey, it says it’s quick, easy and secure, that’s all I need to know! Oh look, here’s another site that says it’s ALSO quick, easy and secure. I better fill in my stuff here too! What? The legit sites are compromised! Ruh roh!

It’s interesting that you bring up the IRS. I prepared my US Tax paperwork using TurboTAX. My husband pressed me to click the “submit now for free” button (built into turbotax). The fine print said to the effect that ALL data sent to the IRS is also retained and kept by TurboTax. Yea, count me out. Why does TurboTax (intuit) need ANY of that? Thanks.

Because – if you need a new copy of your return, because the original is lost – you get a copy cheaper(or free) from your preparer, than from the Federal IRS. If there was one thing I feel we need to demand from our representatives, is that we have FREE data access to our tax records!!! After all WE ARE THE TAX PAYERS!!!

It is just ridiculous what the IRS charges for a backup copy of the tax return!!!

“It is just ridiculous what the IRS charges for a backup copy of the tax return!!!”

—
Nothing is free. It costs the IRS something to manage and secure the returns data.

I would rather you figure out how to print your own tax return and keep a copy of it than the IRS use my tax money to support people who can’t seem to do the simplest things like manage their tax return documents themselves.

I still say it is nonsense to charge a tax payer for that service. They have to store it anyway for IRS records right? So it costs them almost nothing to output it. If they wanted to charge a security in discharge fee, for $20 bucks or so maybe I’d bite. But HUNDREDS of dollars for three years returns!?!?
R-I-D-I-C-U-L-O-U-S >:-(

The IRS, indeed, stores its paper returns in huge warehouses. It costs approx. $5/return. These are the original returns filed by the taxpayers. The information from the returns is entered into computers and archived, as information to be processed, not as scanned images.

The IRS can readily and at no cost to you provide you with the information found in the returns. However, the act of actually walking in a warehouse, finding the returns, photocopying them, returning the records to the original location, and mailing you the info is a lot more costly, so I am not surprised that they charge you for it. 99% of all people need the information only.

The returns that were lost probably were paper returns during the mid-nineties – I’ve been doing them electronically ever since that came out as an available service – the states took a little longer. I was not aware you could get an electronic copy for free though. I’ll believe it when I see it. Hopefully never again, in my case.

Just my opinion, but when I checked, Turbo Tax had too many hidden charges. I’ve used Tax Act the past 2 years and like their software and service. Tax Act will only save your data if you used the paid ($9.95) version, but it’s well worth it – it really helped a lot with this year’s return, not having to re-enter the basic data from last year.

As for keeping (retaining) your information, Tax Act as well as Turbo Tax and the other companies have strict privacy policies, and won’t divulge info unless required by law (court order, etc.).

As an IRS employee, I am AGAINST electronic filing of tax returns. For the sake of the taxpayer, paper returns filed by mail or in person are the most absolute surest way your records are filed correctly and without errors.

I also want to add here, is that if someone on the internet knows enough about a targeted person there is a certain online website (which I won’t disclose) that you can obtain a person’s Experian credit report by way of a throw away email account. I will tell you this, the security questions asked by credit report websites are pretty easy to guess. If you know enough about a person it’s almost guaranteed that you can view and obtain their credit report in about ten minutes.

Agreed with security questions. Unless you generate them the same way as your passwords, they’re the weakest link. Again, that was how Palin’s yahoo was gotten into by that kid, who through bragging and sharing that information, was found out.

From the above link it states “We have seen two tweets written in Russian from an account which appears to be associated with the site, and the words on the newly created website itself. It looks as though the hackers have been adding more stolen personal information to the site over time, which might suggest that there could still be more to come. The nature of the content – names, social security numbers, previous addresses, dates of birth, etc – suggest that a credit agency might have been compromised in some fashion. Whether an agency was actually hacked, compromised in some other fashion, or whether an insider within the organization leaked the data, is impossible to say at this point.”

I’m starting to believe that we need to demand a law that the big credit reporting agencies provide free credit locking service. What I mean is it would be like the paid services like Life Lock. Why should we pay for something that should have been protected in the first place??

And can I just add how much I hate those “free” credit report dot com commercials… Free? Ha, what a joke. But they must be suckering enough people to make $$ hand over fist considering how often those annoying ads air.

Another irony is that, if the proprietors of this service and others like it are taking data gleaned from various sources and using it to pull credit reports from annualcreditreport.com, when they pull a report for you from one of the three major credit bureaus, you won’t be able to pull one from the same bureau through that website, since the miscreants have already used your one free report for that bureau for the year.

I suppose if you don’t use the website annually, you could take the message that you’ve already gotten your free report as a sign that someone has already stolen your identity.

All three credit bureaus now outsource most jobs overseas to India and who knows where else.

I kid you not.

They have full access to our identifications and financial information. For EVERYONE. In this day and age of identity theft, I think its scary for our gov’t to let that happen.

On another note, my Grandfather recently ran a credit report from some company that didn’t give him a real one. So I told him to write a letter to the credit bureaus for a full report. I gave him the addresses and informed him he’s allowed one free report a year.

Well he went to the experian website instead. They charged him, and got him for 20 dollars every month for six months. He has no recollection of signing up for anything. So imo the credit bureaus themselves can no longer be trusted. Things are frightening.

I recommend writing a letter to request a report and mailing it the old fashioned way if you want your free annual credit report. That’s what I do for borrowers in the mtg industry.

Unfortunately the elderly are prime targets for scumbag tactics. Like defaulting you to signing up for a service when all you want is just a one-time credit report, and with poor vision & failure to pay adequate attention (a combination that occurs often in elderly individuals) you end up agreeing to terms buried in small text legalese. Hell, in online forms the legalese usually takes the form of a link to a second page, which is the only way to see all the terms you’re agreeing to, so if you don’t read the first page well you won’t see the link, nor the legalese, and have no real recourse short of having a lawyer send them a nastygram.

Welcome to the corporate world. They can’t make money honestly and still pay executives their grossly over-inflated salaries, so they resort to dishonesty at every turn.

Assume your Critical PII is, or will be compromised.
Get over that.
(Most private firms will live up to your expectation of compromising your PII, via either an interior or exterior breach, but alas you won’t know that unless you live under CA’s data breach law.) Breached public entities are normally exempted from state breach laws. (There is no Federal data breach law.)

What to do?
Look up your state’s Security Freeze law and sign up for it, what ever the cost, no matter how weak it may be (thanks to your legislators), at all three Credit Reporting Agencies. Then do the same for your spouse.
Then no matter how many times your PII is breached, nobody but you will be able to open new (fraudulent) accounts with your PII, in your name at financial institutions.
Also, never give ANYONE, not even your banker, the SecFrz PIN that each CRA will give you.

When looking for a new rental home in Silicon Valley, one nice sounding condominium responded to our Craigslist inquiry with a note that an opportunity to view the place was coming but that the responder said her husband wants you to have a credit report, just the first page, right, and they are using that to see that you are a serious tenant, they weren’t going to care about the values of the credit report. For convenience, they wanted the potential person to click on a link for Experian’s free first week registration. My wife did that and it took her to the Experian site and she got the full report. When we didn’t hear from the property, I looked at that email and found the link was an image and the actual link was to Eastern Europe (by whois check). It looks like they were using a man-in-the-middle technique to watch her registration (ssn, …) Maybe that is one way the information can get at it. Craigslist and Experian have not responded to our query about whether they knew about it. We had two other rental listings that had the same (exactly the same) story and link in following weeks. The locations of the properties were in popular housing areas for Silicon Valley, but no actual addresses were given.
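The check the commenter above did by hand (an image that looks like an Experian link but whose href goes somewhere else), as an added example that is not part of the original post or the commenter's own code. The sample e-mail is constructed; the hostnames in it are invented (`.example` and a documentation IP), not the real site from the comment. It does no whois lookup, since that needs the network; an allowlist of hosts you actually intended to visit stands in for that step, and the script flags any anchor that is image-only or whose visible text names a different host than its href.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the rental-listing e-mail described above:
# the visible part of the first link is a logo, the href is not Experian.
SAMPLE_EMAIL = """
<p>My husband wants to see just the first page of your credit report.
Please use Experian's free first-week registration:</p>
<a href="http://secure-experian-login.example/signup"><img src="cid:logo" alt="Experian"></a>
<p>Or type this in: <a href="http://198.51.100.7/exp/">www.experian.com/freereport</a></p>
<p>Listing photos: <a href="https://www.craigslist.org/">craigslist</a></p>
"""

# Anything that looks like a hostname inside the visible text of a link
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkExtractor(HTMLParser):
    """Collect every <a> with its href, visible text and whether it wraps an <img>."""

    def __init__(self):
        super().__init__()
        self.links = []       # finished anchors: dicts with href/text/has_img
        self._current = None  # anchor being built, or None when outside <a>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._current = {"href": attrs.get("href") or "", "text": "", "has_img": False}
        elif tag == "img" and self._current is not None:
            self._current["has_img"] = True
            # alt text is what a reader "sees" for an image link; keep it
            self._current["text"] += attrs.get("alt") or ""

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = " ".join(self._current["text"].split())
            self.links.append(self._current)
            self._current = None


def _same_site(host, expected):
    host, expected = host.lower(), expected.lower()
    return host == expected or host.endswith("." + expected)


def audit_links(html, expected_hosts):
    """Return (href, reason) for every anchor that should not be clicked.

    expected_hosts: domains you actually meant to deal with (assumed allowlist).
    """
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for link in parser.links:
        href_host = (urlparse(link["href"]).hostname or "").lower()
        # 1. Does the visible text name a site other than the one the href goes to?
        shown = {m.lower() for m in HOST_RE.findall(link["text"])}
        mismatched = sorted(s for s in shown if not _same_site(s, href_host))
        if mismatched:
            findings.append((link["href"],
                             "visible text names %s but href goes to %s" % (mismatched[0], href_host)))
        # 2. Otherwise, is the destination somewhere you never intended to go?
        elif not any(_same_site(href_host, e) for e in expected_hosts):
            kind = "image-only link" if link["has_img"] else "link"
            findings.append((link["href"], "%s goes to unexpected host %s" % (kind, href_host)))
    return findings


if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_EMAIL, ["experian.com", "craigslist.org"]):
        print(reason, "->", href)
```

The allowlist matters: a convincing lookalike host passes the text-versus-href check when the anchor is an image, because there is no visible text to contradict it, so the only thing left to catch it is "this is not a site I meant to visit".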

Very informative and pretty sad as well, to say the very least! Thank you. In my recent searches I was able to find some good information relating to this subject when I googled the credit locker university.

this is the Fair Credit Act, save it to your comp. so you always have it to reference (note-this is for people who are dealing with false accounts on their reports and are doing credit disputing because of it)

you can go to annualcreditreport.com and download a report from each credit bureau free. you will have to give some personal info to prove who you are. you get one free report a year. if you get turned down for credit because of something that was on a report you can get another one from the bureau the company used to check your credit. if you want your credit score you will have to pay for that.